Saved query for enabled users in an OU

  • Saved query for enabled users in an OU

    Hi Guys,
    I need some assistance.

    Does anyone have a custom LDAP query that will allow me to view all enabled users in a specific OU?
    I want to create a saved query in AD Users and Computers so that I can check this at any time.

    Help will be appreciated.

    Eren

  • #2
    Re: Saved query for enabled users in an OU

    Create a new query, point the Query Root to the OU you want to monitor, click "Define Filter", select "Custom Search" from the drop down box, click Advanced tab and paste in the following LDAP filter:

    Code:
    (&(objectCategory=person)(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
    For disabled users the filter would be:

    Code:
    (&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=2))
    Guy Teverovsky
    "Smith & Wesson - the original point and click interface"

    • #3
      Re: Saved query for enabled users in an OU

      Thanks Guy T for the quick response. Appreciate it.
      Eren

      • #4
        Re: Saved query for enabled users in an OU

        Hi Guy T,

        I wonder if you can help with this one.

        I need to write another saved query to find all users which have a description of, let's say, "abcdefgh" in OU A, which contains child OUs B, C, D.

        I want to exclude OU D by using the " ! " operator somehow, as I know that OU D does contain users with desc. "abcdefgh" and I don't want these to appear in my results.

        I have tried the following unsuccessfully:

        Code:
        (&(&(objectCategory=person)(objectClass=user)(description=abcdefgh))(OU=A,DC=test,DC=test,DC=test)AND(!OU=D,DC=test,DC=test,DC=test))

        • #5
          Re: Saved query for enabled users in an OU

          Quick answer: you can't

          Long answer:

          1) there is no such attribute "OU"
          2) One might think that you can filter the user accounts based on tuple matching of their distinguishedName attribute (i.e.: cn=guyt,ou=Sub1,ou=accounts,dc=domain,dc=com), but the problem is that this is a dn-syntax valued attribute and you can match only based on full DN (partial matches will fail):

          (distinguishedName=*,ou=Sub1,ou=accounts,dc=domain,dc=com) <== WRONG
          (distinguishedName=cn=guyt,ou=Sub1,ou=accounts,dc=domain,dc=com) <== OK

          You will have to find another way to filter out the accounts in the sub-OU. Possible candidates could be:

          1) the accounts in the OU are all members of certain security group and the group does not contain members from outside the OU:
          (!(memberOf=cn=grpSomeName,ou=Groups,dc=domain,dc=com))

          2) The accounts in the sub-OU all share a common attribute that is not used by accounts outside the sub-OU:
          (!(someAttribute=yadayada))

          3) you can use something like ADModify to stamp all the accounts in the sub-OU. i.e. you could set extensionAttribute10 for all the accounts in the sub-OU to the DN of the parent OU and use a query similar to this:
          (!(extensionAttribute10=ou=sub1,ou=Accounts,dc=domain,dc=com))
          Guy Teverovsky
          "Smith & Wesson - the original point and click interface"

          • #6
            Re: Saved query for enabled users in an OU

            Thanks Guy, I understand now.

            I've created 2 separate queries and selected "Include sub containers" but not pointed the "query root" to the OU I don't want to search.

            Works fine for now

            Appreciate the help.
            This was my first post here, and am actually very impressed.

            You will definitely find me here a lot

            Eren
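
The enabled-user test from post #2 and the sub-OU exclusion that post #5 says cannot be written into the filter, worked as an added example that is not part of the original thread: the bitwise-AND rule is evaluated by hand and the sub-OU is removed client-side by comparing parsed DN components. Function names and the sample entries are constructed for illustration; the OU names reuse those in post #5.

```python
# What the 1.2.840.113556.1.4.803 (bitwise AND) rule in the thread's filters tests.
ACCOUNTDISABLE = 0x2  # the ":=2" in the filter

def bit_and_match(value, mask):
    """True when every bit of mask is set in value."""
    return (value & mask) == mask

def split_dn(dn):
    """Split a DN into lower-cased RDNs, keeping backslash-escaped commas."""
    rdns, cur, i = [], "", 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):
            cur += dn[i:i + 2]      # escaped character stays inside this RDN
            i += 2
            continue
        if dn[i] == ",":
            rdns.append(cur.strip().lower())
            cur = ""
        else:
            cur += dn[i]
        i += 1
    rdns.append(cur.strip().lower())
    return rdns

def is_under(dn, container_dn):
    """True when dn sits anywhere below container_dn (case-insensitive)."""
    d, c = split_dn(dn), split_dn(container_dn)
    return len(d) > len(c) and d[-len(c):] == c

def enabled_users(entries, query_root, excluded_ou):
    """Enabled users below query_root, minus anything below excluded_ou."""
    return [e["dn"] for e in entries
            if is_under(e["dn"], query_root)
            and not is_under(e["dn"], excluded_ou)
            and not bit_and_match(e["userAccountControl"], ACCOUNTDISABLE)]

# Constructed sample entries (512 = normal account, 514 = 512 | disabled bit,
# 66048 = 512 | password-never-expires bit).
SAMPLE = [
    {"dn": "cn=guyt,ou=Sub1,ou=accounts,dc=domain,dc=com", "userAccountControl": 512},
    {"dn": "CN=Dave,OU=SUB1,OU=Accounts,DC=domain,DC=com", "userAccountControl": 512},
    {"dn": "cn=alice,ou=Sub2,ou=accounts,dc=domain,dc=com", "userAccountControl": 512},
    {"dn": "cn=bob,ou=Sub2,ou=accounts,dc=domain,dc=com", "userAccountControl": 514},
    {"dn": "cn=Doe\\, Jane,ou=accounts,dc=domain,dc=com", "userAccountControl": 66048},
]

if __name__ == "__main__":
    for dn in enabled_users(SAMPLE, "ou=accounts,dc=domain,dc=com",
                            "ou=Sub1,ou=accounts,dc=domain,dc=com"):
        print(dn)
```

Comparing whole RDN lists rather than raw strings keeps the exclusion correct when the directory returns the OU in a different case or a CN contains an escaped comma.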
